crossplane-contrib/provider-helm

secretKeyRef overwrites key name

stewartshea opened this issue · 0 comments

What happened?

Scenario: I'm using the provider-helm as a workaround (until crossplane-contrib/provider-kubernetes#21 is merged) to create a secret on a remote cluster. This secret is intended for use by flux, and takes in the flux-sync data keys as inputs to a very basic helm chart. Unfortunately, the key fields aren't being honored in the helm template, and instead, the valueFrom reference appears to overwrite the key name. This is a problem when the key name needs to be "identity.pub", but that type of naming is not possible (as far as I know) when setting the helm values (as it would assume that .pub is a child value of identity).

How can we reproduce it?

  • Sample helm chart template:
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/instance: {{ .Release.Namespace | quote }}
    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
  name: {{ .Values.secret.name }}
  namespace:  {{ .Values.secret.namespace }}
type: Opaque
data:
  identity: {{ .Values.secret.data.identity | toString | b64enc | quote }}
  identity.pub: {{ .Values.secret.data.identity_pub | toString | b64enc | quote }}
  known_hosts: {{ .Values.secret.data.known_hosts | toString | b64enc | quote }}

  • Sample values.yaml:
secret:
  name: "secret"
  namespace: "default"
  data:
    identity: ""
    identity_pub: ""
    known_hosts: ""

  • Sample Crossplane Helm resource:

---
apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: secret-only
spec:
# rollbackLimit: 3
  forProvider:
    chart:
      name: secret-only
      repository: https://stewartshea.github.io/helm-charts/
    namespace: flux-system
    values:
      secret: 
        name: flux-sync
        namespace: flux-system 
    set: 
    - name: secret.data.identity
      valueFrom:     
        secretKeyRef:
          name: flux-sync
          namespace: flux-system
          key: identity
    - name: secret.data.identity_pub
      valueFrom:     
        secretKeyRef:
          name: flux-sync
          namespace: flux-system
          key: identity.pub  
    - name: secret.data.known_hosts
      valueFrom:     
        secretKeyRef:
          name: flux-sync
          namespace: flux-system
          key: known_hosts   
  providerConfigRef:
    name: providerconfig-helm

The above combination will create the secret on the remote cluster, but with a key titled identity_pub instead of "identity.pub" as specified by the helm chart. This could very well be a mistake on my end, as I've not had to author a helm chart before, but after quite a bit of testing it feels like crossplane-helm is just overwriting the key. I've changed the name from secret.data.identity_pub to other names, and indeed the key always matches what is in that field.

What environment did it happen in?

Crossplane version:

  • crossplane-1.6.1
  • crossplane/provider-helm:v0.9.0
  • GKE - v1.21.5-gke.1302
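
The report above turns on how a dotted `set` name such as `secret.data.identity.pub` is split into nested value keys. The following is an added example, not code from the issue, provider-helm or Helm: a simplified Python model of Helm's `--set` key syntax, in which a backslash makes the next character literal. It assumes provider-helm hands `set` names to that same syntax, and it does not model list indexes or comma-separated pairs; the function names are hypothetical.

```python
"""Simplified model of Helm --set key splitting (added example, not Helm's code)."""


def split_set_path(path):
    """Split a dotted set name into segments; a backslash escapes the next char."""
    segments, current, i = [], [], 0
    while i < len(path):
        ch = path[i]
        if ch == "\\":
            if i + 1 >= len(path):
                raise ValueError("dangling backslash in set name")
            current.append(path[i + 1])  # escaped char is kept literally
            i += 2
            continue
        if ch == ".":
            if not current:
                raise ValueError("empty segment in set name")
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if not current:
        raise ValueError("empty segment in set name")
    segments.append("".join(current))
    return segments


def apply_set(values, path, value):
    """Write value into the nested dict `values` at the location named by path."""
    *parents, leaf = split_set_path(path)
    node = values
    for key in parents:
        child = node.setdefault(key, {})
        if not isinstance(child, dict):
            raise TypeError(f"{key!r} already holds a scalar, cannot nest under it")
        node = child
    node[leaf] = value
    return values


if __name__ == "__main__":
    # Constructed placeholder value; no real key material is used.
    for name in ("secret.data.identity.pub", r"secret.data.identity\.pub"):
        print(name, "->", apply_set({}, name, "PLACEHOLDER"))
```

In this model the unescaped name nests `pub` under `identity`, which also collides with a scalar already set at `secret.data.identity`, while the escaped name yields a single `identity.pub` key.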